This paper introduces quantum multiparty protocols which allow the use of temporary assumptions. We prove that secure quantum multiparty computations are possible if and only if classical multiparty computations work. But these strict assumptions are necessary only during the execution of the protocol and can be loosened after termination of the protocol.

We consider two settings: 

1. A collusion of players tries to learn the secret inputs 
of honest players or tries to modify the result of the 
computation. 

2. A collusion of players cheats in the above way or tries 
to disrupt the protocol, i. e., the collusion tries to abort 
the computation or leaks information to honest players. 

We give bounds on the collusions tolerable after a protocol has terminated and we state protocols reaching these bounds.

03.67.-a, 03.67.Dd, 89.70.+C 



I. INTRODUCTION 

Due to the no-go theorems of Mayers and Lo/Chau [ref] and Lo [ref], quantum cryptography cannot, with unconditional security, implement bit commitment, oblivious transfer and many other important two party protocols.

Here we give an analysis of the case of multiparty protocols.

We will investigate two settings. First, multiparty protocols which we call partially robust, which can tolerate all forms of cheating but can be aborted by a collusion of disruptors; second, multiparty protocols which are robust even against disruption [ref].

In the case without disruption classical multiparty protocols can yield unconditional security against all possible forms of cheating if a majority of the players is honest and one assumes private channels between any two parties as well as a broadcast channel [ref]. More generally, for every set of possibly colluding parties secure multiparty computations are possible if no two collusions cover the total set of players [ref].

From the no-go theorems for quantum two party protocols it can be concluded that there exist functions which cannot be realized by secure quantum multiparty protocols if two sets of possibly colluding parties cover the complete set of players. If the possible collusions are only defined by their cardinality, multiparty protocols using quantum cryptography become insecure if not a majority of players behave honestly.

Still, quantum multiparty protocols have advantages over classical multiparty protocols. In this paper we prove that the assumptions about possible collusions can be loosened after the execution of the protocol. We present protocols where a majority may become dishonest after the protocol has terminated. Furthermore we give a limit on the collusions which are tolerable after the execution of the protocol. These bounds depend on the collusions which are tolerable during the execution of the protocol.

In the case with disruption we need that no two possible collusions cover all but one player, i.e., the cardinality of the union of two collusions never reaches $n - 1$ for $|P| = n$. Given this assumption we can again prove that the assumptions about possible collusions can be loosened after the execution of the protocol. We also give limits on the collusions which are tolerable after the execution of the protocol and prove that these limits are tight.

We will restrict our view mostly to realizing a bit commitment from one party (called Alice) to a party named Bob. For our impossibility results we simply prove that relative to the given assumptions there cannot exist a multiparty protocol realizing a bit commitment from Alice to Bob. This implies that under the given assumptions there exist functions which cannot be computed securely. For the constructive results it is again enough to look at bit commitment, because with a result of Yao [ref] we can realize an oblivious transfer channel using a quantum channel and bit commitments. With such an oblivious transfer channel between every pair of players we can realize multiparty computations, even with a dishonest majority [ref]. Our concern will hence be to characterize the assumptions relative to which a bit commitment between two of the players becomes possible.

The structure of the paper is as follows. In Section II we will review definitions and known results on classical multiparty protocols and secret sharing techniques as far as we need them to prove our results. Next, in Section III we review the impossibility of quantum bit commitment in the two party scenario [ref] and give some generalizations to the situation of multiparty protocols. In Section IV we stress the cryptographic importance of assumptions which can be loosened after a limited time, so called temporary assumptions. Then in Sections V, VI and VII we give protocols which allow temporary assumptions in secure multiparty computations. The main idea is to use a classical secret sharing scheme as a bit commitment protocol to force honest measurements. We show that, after the honest measurements are performed, the assumptions about possible collusions can be loosened.



II. CLASSICAL MULTIPARTY PROTOCOLS AND SECRET SHARING

A. Classical Multiparty Computations 

In a multiparty protocol a set $P$ of players wants to correctly compute a function $f(a_1, \ldots, a_n)$ which depends on the secret inputs of $n$ players. Some players might collude to cheat in the protocol so as to obtain information about the secret inputs of the other players or to modify the result of the computation.

When we look at the infrastructure available for the players we are mainly interested in three settings:

1. There are private and authenticated channels between every pair of players and each player has a broadcast channel.

2. Every pair of players is connected by an oblivious transfer channel and a broadcast channel is available for everyone.

3. Every two players are connected by a quantum channel and an insecure but authenticated classical channel, plus every player has access to a broadcast channel. This is the setting for the results of this paper.

In multiparty computations we have to make some assumptions about possible collusions. We model possible collusions by defining a set of collusions. Only one of these possible collusions is actually cheating. Within this set of colluding players the players share their input and take actions based on their common knowledge.

Definition 1 An adversary structure is a monotone set $\mathcal{A} \subseteq 2^P$, i.e., for a subset $S' \subseteq S$ of a set $S \subseteq P$ the property $S \in \mathcal{A}$ implies $S' \in \mathcal{A}$.

The main properties of a multiparty protocol are:

1. A multiparty protocol is said to be $\mathcal{A}$-secure if no single collusion from $\mathcal{A}$ is able to obtain information about the secret inputs of other participants which cannot be derived from the result and the inputs of the colluding players.

2. A multiparty protocol is $\mathcal{A}$-partially correct if no party can let the protocol terminate with a wrong result.

3. A multiparty protocol is $\mathcal{A}$-correct whenever no single collusion from $\mathcal{A}$ can abort the protocol, modify its result, or deviate from the protocol in a way that an honest player obtains information about the secret inputs of another player which cannot be derived from the result and the input of this honest player.

4. A multiparty protocol is called $\mathcal{A}$-fair if no collusion from $\mathcal{A}$ can reconstruct the result of the multiparty computation earlier than all honest participants together. No collusion should be able to run off with the result.

A multiparty protocol having the properties 1., 2. and 4. is called $\mathcal{A}$-partially robust, and a protocol having all of the above properties is called $\mathcal{A}$-robust.

Whenever we are only concerned with partially robust protocols we will abort the protocol whenever a player complains about another player. Only robust protocols must be able to cope with conflicts between players.

Note that we allow only one collusion from $\mathcal{A}$ to cheat. Furthermore, active cheaters are always considered to be passively cheating, too.

Sometimes one thinks of all players being equivalent in their trustability; then adversary structures are solely defined by the cardinality of the collusions. When referring to an adversary structure which contains all subsets of $P$ with no more than $t$ players we denote the above properties by $\binom{n}{t}$-secure, $\binom{n}{t}$-(partially) correct, $\binom{n}{t}$-fair, and $\binom{n}{t}$-robust (see footnote 1).

B. Multiparty Computations with Private Channels 

We will summarize next what can be achieved by classical multiparty computations when private channels are available between any two players as well as a broadcast channel. The next result is taken from [ref].

Theorem 2 Given a set $P$ of players with a secure and authenticated channel between each pair of players together with a broadcast channel, then every function can be computed by an $\mathcal{A}$-partially robust multiparty protocol if no two sets from $\mathcal{A}$ cover the complete set $P$ of players.

Remark 3 There exist functions for which a multiparty protocol among players who have access to a broadcast channel and have secure and authenticated channels connecting every pair of players cannot be $\mathcal{A}$-robust if two collusions cover $P \setminus \{P_i\}$ for some player $P_i$.

Proof: If the players of two possible collusions $A_1, A_2 \in \mathcal{A}$ covering $P \setminus \{P_i\}$ cannot cooperate, then it is not clear for $P_i$ which collusion is cheating. To continue with the protocol all messages between players who are complaining about each other have to be exchanged over the broadcast channel or over secure channels via $P_i$. Obviously $P_i$ learns all secrets or the protocol must be aborted. In both cases the protocol is not $\mathcal{A}$-robust. □

Footnote 1: Sometimes the terms $t$-secure, $t$-(partially) correct, $t$-fair, and $t$-robust are used for $\binom{n}{t-1}$-secure, $\binom{n}{t-1}$-correct, $\binom{n}{t-1}$-fair, and $\binom{n}{t-1}$-robust.

As a corollary we state the classic result from [ref] which was generalized to the situation with broadcast channel in [ref].

Corollary 4 Given $n$ players which have a secure and authenticated channel between each pair of players together with a broadcast channel, then every function can be computed by a $\binom{n}{t}$-partially robust multiparty protocol if $t < n/2$, i.e., if a majority is honest.

C. Secret Sharing 

One important primitive of classical multiparty protocols is secret sharing, which was introduced in [ref]. The aim of a secret sharing scheme is to allow a dealer to distribute shares $s_1, s_2, \ldots, s_n$, which represent one secret value $x$, to a set $P$ of players such that only certain authorized subsets of $P$ can reconstruct the secret $x$, whereas all other subsets of $P$ cannot get any information about $x$. Of course every subset of $P$ containing an authorized set must also be authorized. This leads to the definition of an access structure.

Definition 5 An access structure is a set $\mathcal{Z} \subseteq 2^P$ for which for subsets $S' \supseteq S$ of $P$ the property $S \in \mathcal{Z}$ implies $S' \in \mathcal{Z}$.

An access structure is "dual" to an adversary structure. If $\mathcal{A}$ is an adversary structure then the set $\{A^c \mid A \in \mathcal{A}\}$ forms an access structure.
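Both definitions and the covering conditions used in this section can be checked mechanically. The following Python is an added illustration, not code from the paper: it encodes an adversary structure as a downward-closed family of frozensets, derives the dual access structure $\{A^c \mid A \in \mathcal{A}\}$, and tests the two covering conditions that decide tolerability (Theorem 2 together with Corollary 12: no two collusions cover $P$; Remark 3 together with Corollary 14: no two collusions cover $P \setminus \{P_i\}$). Function names and the sample player sets are my own choices.

```python
from itertools import combinations, product


def subsets(players):
    """All subsets of a player set, as frozensets."""
    players = sorted(players)
    return [frozenset(c) for r in range(len(players) + 1)
            for c in combinations(players, r)]


def monotone_closure(max_sets):
    """Adversary structure generated by its maximal collusions (Definition 1: downward closed)."""
    return {s for m in max_sets for s in subsets(m)}


def is_monotone(adv):
    """Check Definition 1: every subset of a tolerated collusion is again tolerated."""
    return all(s in adv for a in adv for s in subsets(a))


def threshold_structure(players, t):
    """The structure written binom(n, t) in the text: every collusion of at most t players."""
    return {s for s in subsets(players) if len(s) <= t}


def dual_access_structure(adv, players):
    """{A^c | A in adv}: the sets whose complement is a tolerated collusion (Definition 5)."""
    players = frozenset(players)
    return {players - a for a in adv}


def two_sets_cover(adv, target):
    """Do two (possibly equal) collusions from adv together cover `target`?"""
    target = frozenset(target)
    return any(a | b >= target for a, b in product(adv, repeat=2))


def partially_robust_possible(adv, players):
    """Theorem 2 / Corollary 12: all functions are computable partially robustly iff no two collusions cover P."""
    return not two_sets_cover(adv, players)


def robust_possible(adv, players):
    """Remark 3 / Corollary 14: robustness additionally needs that no two collusions cover P minus one player."""
    players = frozenset(players)
    return all(not two_sets_cover(adv, players - {p}) for p in players)


if __name__ == "__main__":
    # Constructed sample: four players, collusions {A,B}, {C} or {D} (not a threshold structure).
    adv = monotone_closure([{"A", "B"}, {"C"}, {"D"}])
    print("monotone:", is_monotone(adv))
    print("partially robust possible:", partially_robust_possible(adv, "ABCD"))
    print("robust possible:", robust_possible(adv, "ABCD"))
    print("dual access structure:", sorted(sorted(s) for s in dual_access_structure(adv, "ABCD")))
```

For threshold structures the two tests reproduce the familiar bounds: with $n$ players, partially robust computation needs $t < n/2$ and robust computation needs $t < n/3$.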

The first access structures which were studied were defined by the cardinality of their minimal authorized sets. Later secret sharing schemes were constructed for arbitrary access structures [ref].

For our protocol it is especially important to be able to keep the dealer from deliberately handing out faulty shares, i.e., shares which do not match the agreed-on access structure.

This problem can be overcome by verifiable secret sharing [ref], which allows a verifier (e.g., each individual player) to check if a share he received is a valid share.

As we will use it later we sketch a verifiable secret sharing scheme from [ref] which can be used for every homomorphic secret sharing scheme, i.e., for every scheme where the secrets form an additive group and sharing is a group homomorphism.

Verifiable Secret Sharing($m$)

1. Alice shares a secret $m$ with access structure $\mathcal{Z}$.

2. for $j = 1$ to $k$ do

(a) Alice shares a random secret $z$ with the access structure $\mathcal{Z}$.

(b) The verifier tells Alice to either open $z$ or $z \oplus m$.

(c) Alice publishes the shares for $z$ or $z \oplus m$.

od

If no player complains about the shares Alice publishes and if the shares published were correct shares, then the verifier is convinced that all honest players hold correct shares.

It is clear that the secret $m$ is shared correctly if $z$ is shared correctly and $z \oplus m$ is shared correctly. A dishonest dealer will be caught cheating with a probability of $1/2$ in every one of the $k$ iterations. Hence the probability to pass this test with an incorrectly shared secret is $2^{-k}$ and thus negligible in $k$.
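To make the cut-and-choose argument concrete, here is an added Python simulation (not code from the paper) of the protocol above over Shamir's threshold scheme, which is homomorphic in the required sense: adding a sharing of $z$ and a sharing of $m$ share by share gives a sharing of $z + m$. A dishonest dealer whose shares of $m$ do not all lie on one degree-$t$ polynomial can prepare each round's $z$ so that one of the two possible openings looks consistent, but never both, so it has to guess the challenge. The small field size, the way the shares are tampered with and all function names are assumptions of this illustration.

```python
import random
from itertools import product

P = 101  # constructed: a small prime field, large enough for the illustration


def eval_poly(coeffs, x):
    """Horner evaluation of c_0 + c_1 x + ... + c_t x^t over GF(P)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def share(secret, t, n, rng):
    """Shamir sharing with threshold t: shares (i, f(i)) of a random degree-t f with f(0) = secret."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t)]
    return [(i, eval_poly(coeffs, i)) for i in range(1, n + 1)]


def interpolate_at(points, x):
    """Lagrange interpolation over GF(P): value at x of the polynomial through `points`."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for k, (xk, _) in enumerate(points):
            if k != j:
                num = num * (x - xk) % P
                den = den * (xj - xk) % P
        total = (total + yj * num * pow(den, P - 2, P)) % P
    return total


def reconstruct(shares, t):
    """Any t+1 shares determine the secret f(0)."""
    return interpolate_at(shares[: t + 1], 0)


def is_consistent(shares, t):
    """A valid sharing: all n points lie on one polynomial of degree <= t."""
    base = shares[: t + 1]
    return all(interpolate_at(base, x) == y for x, y in shares[t + 1:])


def add_shares(a, b):
    """Sharing is a group homomorphism: share(z) + share(m) is a sharing of z + m."""
    return [(x, (ya + yb) % P) for (x, ya), (_, yb) in zip(a, b)]


def sub_shares(a, b):
    return [(x, (ya - yb) % P) for (x, ya), (_, yb) in zip(a, b)]


def verify(m_shares, z_rounds, challenges, t):
    """Cut-and-choose: round j opens z_j (challenge 0) or z_j + m (challenge 1).
    Every player would also compare the published share with the one he holds; the
    simulated dealer publishes exactly what it dealt, so only the consistency check remains."""
    for z_shares, c in zip(z_rounds, challenges):
        opened = z_shares if c == 0 else add_shares(z_shares, m_shares)
        if not is_consistent(opened, t):
            return False
    return True


def honest_dealer_passes(m, t, n, challenges, seed=0):
    rng = random.Random(seed)
    m_shares = share(m, t, n, rng)
    z_rounds = [share(rng.randrange(P), t, n, rng) for _ in challenges]
    return verify(m_shares, z_rounds, challenges, t)


def cheating_dealer(m, t, n, guesses, rng):
    """Deals an inconsistent sharing of m and, per round, a z prepared so that the opening
    the dealer guesses will be demanded looks consistent; the other opening then is not."""
    m_shares = share(m, t, n, rng)
    x, y = m_shares[-1]
    m_shares[-1] = (x, (y + 1) % P)  # constructed fault: one share is off the polynomial
    z_rounds = []
    for g in guesses:
        z = rng.randrange(P)
        if g == 0:
            z_rounds.append(share(z, t, n, rng))  # survives "open z" only
        else:  # consistent z + m, hence inconsistent z: survives "open z + m" only
            z_rounds.append(sub_shares(share((z + m) % P, t, n, rng), m_shares))
    return m_shares, z_rounds


def detection_rate(k, t, n, seed=1):
    """Fraction of all 2^k challenge sequences on which the cheating dealer is caught."""
    rng = random.Random(seed)
    guesses = [rng.randrange(2) for _ in range(k)]
    m_shares, z_rounds = cheating_dealer(42, t, n, guesses, rng)
    caught = sum(not verify(m_shares, z_rounds, list(c), t)
                 for c in product((0, 1), repeat=k))
    return caught / 2 ** k


if __name__ == "__main__":
    print("honest dealer passes:", honest_dealer_passes(42, 2, 5, [0, 1, 1, 0]))
    print("cheating dealer caught with probability", detection_rate(4, 2, 5))
```

With $k = 4$ rounds the cheating dealer survives exactly one of the sixteen challenge sequences, the one matching its guesses, which is the $2^{-k}$ of the text.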

D. Multiparty Computations with Oblivious Transfer

Given an oblivious transfer channel all secure two party computations become possible with unconditional security [ref]. This result was generalized to allow multiparty computations with a dishonest majority [ref]. One obvious problem with such protocols is that if a majority of players cannot run off with the secret, i.e., they cannot reconstruct the secret on their own, then a minority of players can abort the protocol. For this reason we defined a multiparty protocol to be $\mathcal{A}$-partially correct if no collusion from $\mathcal{A}$ can make the protocol terminate with a wrong result.

The result of [ref] can then be stated as

Theorem 6 Given an oblivious transfer channel between any two players as well as a broadcast channel, then every function can be realized by a $\emptyset$-robust, $2^P$-secure, $2^P$-fair, and $2^P$-partially correct multiparty protocol.

In multiparty protocols the inputs are usually shared by a secret sharing scheme and the result is computed locally on the shares and by sharing intermediate results. In [ref] the players are committed to the shares they hold. The computation in [ref] uses a global committed oblivious transfer, which is constructed there, to implement NOT and AND gates directly on the commitments. As the players are unable to cheat in the global committed oblivious transfer and the players cannot open their commitments faultily, every form of cheating is detectable. The only problem is that it is not always clear who is cheating. In [ref] more robust protocols based on oblivious transfer were analyzed. There is a trade-off between robustness and security as stated in the following results, which are taken from [ref].

Lemma 7 Let $P$ be a set of $n$ players with every pair of players being connected by an oblivious transfer channel and every player having access to a broadcast channel. Let $\mathcal{A}$ and $\mathcal{A}'$ be adversary structures. Then for all functions $\mathcal{A}$-robust and $\mathcal{A}'$-secure multiparty protocols exist if

1. the adversary structure $\mathcal{A}$ does not contain two sets covering $P \setminus \{P_i\}$ for any $P_i \in P$, and

2. the adversary structure $\mathcal{A}'$ contains only the complement of one previously chosen set $B$ which is maximal in $\mathcal{A}$.

For a proof see [ref].

In the above result one can see the trade-off between robustness and security: the smaller $\mathcal{A}$ can be chosen, the larger $\mathcal{A}'$ will be.

Corollary 8 The protocol of Lemma 7 for the computation of a function $f(a_1, \ldots, a_n)$ is efficient in the number of players and the size of the circuit used to calculate $f(a_1, \ldots, a_n)$.

For a proof see [ref].

III. NO-GO RESULTS 

A. Quantum Bit Commitment Is Impossible 

In this section we will shortly review the impossibility 
of quantum bit commitment as proven by Mayers and 
Lo/Chau. 

Definition 9 A bit commitment protocol is a protocol consisting of two phases: commit and unveil. In the commit phase Bob obtains information from Alice which binds her to a certain bit $b$. In the unveil phase Alice opens $b$ to Bob and proves to Bob that the commitment bound her to the bit $b$.

A bit commitment protocol must have two properties:

1. binding, i.e., after committing Alice can, without the help of Bob, only unveil one fixed bit $b$.

2. concealing, i.e., without the help of Alice Bob cannot know the bit $b$ Alice committed to.

To show the impossibility of quantum bit commitment one proceeds in two steps:

1. First one shows that for each quantum protocol there exists a protocol which keeps all actions at the quantum level and postpones all measurements and random choices until shortly before unveil. This protocol is secure (binding and concealing) if and only if the original protocol was secure.

2. Then it is proven that (in the new protocol) either Bob can from his part of the quantum state distinguish between a committed zero and a committed one (the protocol is not concealing) or Alice can with a quantum transformation change her part of the quantum state from a superposition of commitments to zero into a superposition of commitments to one (and vice versa).



A key insight in the impossibility proofs given in [ref] was that for each quantum protocol which involves measurements, random choices, and classical communication one can construct an equivalent protocol which has all measurements and random choices postponed to shortly before the unveil phase. With this reduction it is possible to treat the result of the commit phase as being a pure quantum state shared by Alice and Bob.

We will shortly explain the attack in more detail. Special emphasis is put on classical communication during the protocol, as it involves measurements. But again these measurements can theoretically be delayed.

Alice behaves like she wants to honestly commit to zero and Bob behaves like an honest Bob, but all decisions which have to be made in the course of the protocol are no longer based on measurement results (or random choices), but are done by conditional quantum gates [ref], hence keeping all possibilities in superposition up to the measurement shortly before the unveil phase. Random choices are done in the same way: instead of fixing one value, all possible values are created in superposition. The most critical part of the reduction concerns classical communication. To get this classical data one must perform a measurement, but even this measurement can be delayed to shortly before the unveil phase without changing the security of the protocol. Instead of measuring a qubit, Alice entangles this qubit with two new qubits such that all three qubits give the same measurement result in the basis which should be used for the measurement (this is done by two controlled-NOT gates) and sends one of these new qubits to Bob. This way Bob gets the information, and Alice can measure what information Bob got, but these measurements can be postponed without changing the security of the protocol.

If both parties follow this technique to keep everything at the quantum level, then the protocol will deliver, after the commit phase, a pure state shared by Alice and Bob.

This pure state $|\Psi_0\rangle$ appears on Alice's side as a mixture $\rho_{Alice,0}$ (the index zero reminds us that Alice has committed to zero; the state $|\Psi_1\rangle$ and the mixture $\rho_{Alice,1}$ correspond to a commitment of one). On Bob's side the pure state appears as $\rho_{Bob}$.

Now we can import a result from [ref].

Theorem 10 (Hughston, Jozsa, and Wootters) Given two pure quantum states $|\psi\rangle$ and $|\varphi\rangle$ shared between Alice and Bob which appear as the same state $\rho$ on Bob's side, then there exists a unitary transform which acts on Alice's part of the quantum system only and changes $|\varphi\rangle$ to $|\psi\rangle$.

This result was generalized by Mayers to the case where $|\psi\rangle$ and $|\varphi\rangle$ do not appear as the same state on Bob's side but as states which are very close to each other [ref].

In the case of bit commitment this says that either the bit can be measured on Bob's side, i.e., $\rho_{Bob}$ looks different for $|\Psi_0\rangle$ and $|\Psi_1\rangle$, or Alice can change from $|\Psi_0\rangle$ to $|\Psi_1\rangle$ by a unitary transform $U_{0,1}$ on her part of the quantum system.

We can conclude the impossibility result from [ref].



Theorem 11 (Mayers, Lo/Chau) A quantum proto- 
col for bit commitment cannot be binding and concealing. 

To cheat in the actual protocol it is of course not necessary that both parties keep their decisions at the quantum level. It is enough if the party being able to cheat does so. See also Lemma 15.
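The dichotomy of Theorem 10 can be made explicit on two-qubit toy states. The following Python is an added example, not from the paper: Alice keeps the first qubit and Bob holds the second, `bob_reduced` traces out Alice's qubit, and `helstrom` gives Bob's best probability of telling the two commitments apart (this is the Helstrom bound $1/2 + \|\rho_0 - \rho_1\|_1/4$, a standard measure that the text does not use by name). For the entangled pair of states Bob's reduced states coincide, so the protocol is concealing, and a local bit flip $X$ on Alice's side already maps the commitment to zero onto the commitment to one; for the pair where Bob simply receives the bit, Bob distinguishes perfectly and no local action of Alice can change his reduced state. The state names and all helper functions are my own constructions.

```python
import math


def ket(amplitudes):
    """Normalise four amplitudes of a two-qubit state; index 2*a + b means Alice holds a, Bob holds b."""
    norm = math.sqrt(sum(abs(x) ** 2 for x in amplitudes))
    return [x / norm for x in amplitudes]


def bob_reduced(psi):
    """Partial trace over Alice's qubit: rho_Bob[b][b'] = sum_a psi[a,b] * conj(psi[a,b'])."""
    return [[sum(psi[2 * a + b] * complex(psi[2 * a + bp]).conjugate() for a in range(2))
             for bp in range(2)] for b in range(2)]


def apply_alice(u, psi):
    """Act with a 2x2 unitary on Alice's qubit only: (U (x) I)|psi>."""
    out = [0j] * 4
    for a in range(2):
        for b in range(2):
            out[2 * a + b] = sum(u[a][ap] * psi[2 * ap + b] for ap in range(2))
    return out


def helstrom(rho0, rho1):
    """Bob's best probability of telling rho0 from rho1: 1/2 + ||rho0 - rho1||_1 / 4 (2x2 case)."""
    d = [[rho0[i][j] - rho1[i][j] for j in range(2)] for i in range(2)]
    a, c, dd = complex(d[0][0]).real, d[0][1], complex(d[1][1]).real
    disc = math.sqrt(((a - dd) / 2) ** 2 + abs(c) ** 2)  # eigenvalues of a Hermitian 2x2 matrix
    return 0.5 + (abs((a + dd) / 2 + disc) + abs((a + dd) / 2 - disc)) / 4


def same_state(psi, phi, tol=1e-9):
    return all(abs(x - y) < tol for x, y in zip(psi, phi))


def concealing(psi0, psi1, tol=1e-9):
    """Concealing: Bob's reduced states coincide, i.e. his guessing probability is 1/2.
    Theorem 10 then guarantees a unitary on Alice's side that maps psi0 to psi1."""
    return abs(helstrom(bob_reduced(psi0), bob_reduced(psi1)) - 0.5) < tol


X = [[0, 1], [1, 0]]  # bit flip acting on Alice's qubit

# Constructed toy "commitments": Alice keeps the first qubit, Bob receives the second.
ENTANGLED0 = ket([1, 0, 0, 1])  # (|00> + |11>)/sqrt(2): commit to 0
ENTANGLED1 = ket([0, 1, 1, 0])  # (|01> + |10>)/sqrt(2): commit to 1
CLASSICAL0 = ket([1, 0, 0, 0])  # |00>: Bob simply receives the bit 0
CLASSICAL1 = ket([0, 1, 0, 0])  # |01>: Bob simply receives the bit 1

if __name__ == "__main__":
    print("entangled: concealing =", concealing(ENTANGLED0, ENTANGLED1),
          "; Alice flips the bit with X:", same_state(apply_alice(X, ENTANGLED0), ENTANGLED1))
    print("classical: Bob guesses the bit with probability",
          helstrom(bob_reduced(CLASSICAL0), bob_reduced(CLASSICAL1)))
```

The two toy cases sit at the extremes; the theorem says that any intermediate protocol also lands on one side or the other, which is why Section IV instead attacks the assumption that the cheating party can keep everything at the quantum level.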



B. Bounds on Tolerable Adversary Structures During the Execution of a Protocol

With the impossibility results for the two party case one can as well show that quantum cryptography cannot enhance classical bounds for the set of tolerable adversaries [ref].

Corollary 12 Let $P$ be a set of players and let $\mathcal{A}$ be an adversary structure. If there exist two possible collusions $A_1, A_2 \in \mathcal{A}$ with $A_1 \cup A_2 = P$, then not all functions can be computed $\mathcal{A}$-partially robustly by a quantum multiparty protocol.

Proof: We show that it is impossible to realize a bit commitment for a party Alice $\in A_1$ and Bob $\in A_2$. This is simple as we are almost in the two party scenario: assume the collusion $A_2$ can by no means measure the bit Alice committed to; then the collusion $A_1$ can, by keeping every action at the quantum level, cheat analogously to the two party situation, i.e., there exists a unitary transform $U_{0 \to 1}$ which can change the bit Alice is committed to. The transform $U_{0 \to 1}$ must be jointly applied by all players in $A_1$. □

Corollary 13 There exist functions which cannot be computed $\binom{n}{t}$-partially robustly by a quantum multiparty protocol if $t > n/2$.

If we consider robustness we have to take into account more deviations from the protocol. A collusion of players could for example leak their secret (quantum) data to a player not in the collusion. Such an attack further limits the set $\mathcal{A}$ of possible collusions.

Corollary 14 Let $P$ be a set of players and let $\mathcal{A}$ be an adversary structure. If there exist two possible collusions $A_1, A_2 \in \mathcal{A}$ with $A_1 \cup A_2 = P \setminus \{P_i\}$ for any player $P_i$, then not all functions can be computed $\mathcal{A}$-robustly by a quantum multiparty protocol.



Proof: Assume there exists a $P_i \in P$ with $P = A_1 \cup A_2 \cup \{P_i\}$ for $A_1, A_2 \in \mathcal{A}$. We would like to implement a bit commitment from a player from $A_2$ to the player $P_i$. To prevent the players from $A_2$ from jointly changing the committed bit it must be possible for the players of $A_1 \cup \{P_i\}$ to measure the committed bit. Only the assumption that $P_i$ does not collude with the players of $A_1$ makes this attack impossible. If the player $P_i$ is honest but curious and keeps everything at the quantum level, then he would be able to measure the committed bit if all players of the set $A_1$ would together keep all their actions at the quantum level and later on give all their quantum information to the player $P_i$.

Even though the player $P_i$ does not collude with the players from $A_1$, we cannot keep the players from $A_1$ from deviating from the protocol by giving away their secret data. □



C. Bounds on Tolerable Adversary Structures After the Protocol Terminated

During the execution of a protocol we must use the same assumptions as in classical multiparty protocols to obtain unconditional security. We will next prove bounds on the set of tolerable collusions after a protocol has been finished, in our case after the commit phase of a commitment protocol has terminated. Interestingly these bounds are different.

To apply the attack of Mayers and Lo/Chau, Alice need not keep every action at the quantum level. She can perform measurements whose results, together with the quantum information Bob has, do not suffice to distinguish between the commitments zero and one. In short, Alice can perform any measurement whose result she could tell Bob without giving away her secret commitment.

Lemma 15 Let $|\Psi_b\rangle$ be a pure quantum state shared between Alice and Bob which is the result of a quantum bit commitment protocol which was executed at the quantum level.

If Alice can change the bit she committed to by a unitary transform $U_{0 \to 1}$ on her part of $|\Psi_b\rangle$, then she can still change the bit after she performed a measurement on her part of the quantum state if the information obtained by this measurement together with the quantum information Bob holds does not allow to distinguish between the commitments zero and one.

Proof: One can define a bit commitment protocol where Alice has to perform this measurement and send the information measured to Bob. As Bob can still not distinguish between the commitments zero and one, the attack of Mayers and Lo/Chau applies and there exists a unitary transform changing the bit. □

This simple result helps us to prove that temporarily having an honest but curious third party does not allow us to implement bit commitment [ref].

Lemma 16 Bit commitment may be implemented between Alice and Bob if we introduce a trusted third party, but the assumption of having an honest but curious third party is not a temporary assumption.

Proof: If the honest but curious party remains independent of the two parties Alice and Bob, bit commitment can be implemented by classical multiparty protocols.

Now assume the honest but curious third party joins Alice or Bob after the commit phase is completed.

The honest but curious third party will follow the protocol, but leaves everything in superposition which need not be sent away as classical data. So the third party will perform some measurements. The third party can join Bob afterwards and Bob should still be unable to recover Alice's bit. Hence the third party did only obtain measurement results which are of no use for Bob. Hence if the third party joins Alice we are in the situation of Lemma 15: Alice together with the third party can jointly perform a unitary transform which changes the bit Alice committed to. □

Lemma 16 can be generalized to the multiparty scenario.

Proposition 17 There exist functions for which no quantum multiparty protocol which is partially robust against the adversary structure $\mathcal{A}$ can afterwards become secure against an adversary structure $\tilde{\mathcal{A}}$ which contains two complements of sets in $\mathcal{A}$.

Proof: Let $A_1, A_2 \in \mathcal{A}$ denote two sets of possibly colluding players and let $\tilde{\mathcal{A}}$ be an adversary structure containing the complements of $A_1$ and $A_2$. We show that it is impossible to implement an oblivious transfer from Alice $\in A_1$ to Bob $\in A_2$ which is $\mathcal{A}$-partially robust and $\tilde{\mathcal{A}}$-secure after termination. Assume such an oblivious transfer were possible; then we could with it implement a bit commitment from Alice to Bob which is $\mathcal{A}$-partially robust during the commit phase and $\tilde{\mathcal{A}}$-partially robust up to the unveil phase. This is easy to see, as after termination of the commit phase security is the only critical issue: the data computed during the commit phase cannot be changed any more and fairness is not of interest until the unveil phase.

It remains to be proven that a bit commitment from the player Alice $\in A_1$ to the player Bob $\in A_2 \setminus A_1$ is impossible. We look at the sets $A_1$, $A_2 \setminus A_1$ and $P \setminus (A_1 \cup A_2)$ and prove the impossibility analogously to Lemma 16. During the execution of the commit phase the protocol is $\mathcal{A}$-partially robust, hence we can assume that the players in $A_1$ or the players in $A_2 \setminus A_1$ collude and we still get a valid commitment from $A_1$ to $A_2 \setminus A_1$. Now we assume the protocol to become $\tilde{\mathcal{A}}$-partially robust afterwards. Then all players from $P \setminus (A_1 \cup A_2)$ may join the players from $A_2 \setminus A_1$ and the bit commitment remains concealing even if the players from $A_2 \setminus A_1$ were colluding. Hence all quantum information in the possession of the players from $P \setminus (A_1 \cup A_2)$ is of no use to Bob. According to Lemma 15 the players from $A_1 \cup (P \setminus (A_1 \cup A_2)) = P \setminus A_2 = A_2^c$ can change the committed bit. Hence the bit commitment is not $\tilde{\mathcal{A}}$-partially robust between commit and unveil. □

Corollary 18 There exist functions for which no $\binom{n}{t}$-robust quantum multiparty protocol can become $\binom{n}{n-t}$-robust after its execution.

IV. TEMPORARY ASSUMPTIONS 

Usually assumptions have to be made very carefully, because they implicitly try to predict future developments. The assumptions must be valid as long as the secret information is critical.

Temporary assumptions are hence very promising. There was little research into temporary assumptions in quantum cryptography after it became clear that computational assumptions cannot be used only temporarily [ref].

But quantum cryptography allows assumptions which are independent of computational assumptions. Such assumptions can be temporary.

The key idea to get temporary assumptions is to not try to make the transformation $U_{0,1}$, which can change the committed bit, impossible, but to make it impossible for the parties (at least for the party able to cheat) to keep all actions at the quantum level.

E.g., Alice can trivially not cheat in the protocol of [ref] if she has no quantum storage, even if quantum storage became available to her after the commit phase.

Assumptions which have the same effect are: limited quantum storage capacity and limited storage time for quantum bits, as well as assumptions about decay introducing errors. Such assumptions need only hold during the execution of the protocol.

V. FORCING MEASUREMENTS WITH SECRET SHARING

In [ref] Yao proved that it is possible to obtain oblivious transfer from a black box bit commitment and a quantum channel. The idea goes back to Crépeau [ref] and was generalized to quantum channels which can have noise by Mayers [ref].

The basic idea is to force measurements to avoid the attacks of Mayers and Lo/Chau and Lo [ref]. In the course of the protocol one party has to commit to the measurement bases used and to the results obtained. Then a random subset of these measurements is opened. If there are not too many discrepancies one can be sure that the committing party did measure most of the qubits. This already suffices to make the delay of all measurements impossible, hence avoiding the attacks of Mayers and Lo/Chau and Lo [ref]. But one has to be careful whether the bit commitment used is strong enough to force measurements. The unconditionally secure bit commitment of Kent is not suitable, as Kent proved in [ref].

The main requirement for a bit commitment to be able to force measurements is that committing to a bit $b$ must be equivalent to giving the classical bit $b$ to a trusted third party. Committing to a measurement result according to [ref] implies an irreversible measurement, as otherwise the cheater and the trusted third party together could violate the Heisenberg uncertainty relation.

In this section we will show that secret sharing can be used like a black box bit commitment to force measurements using the protocols of [ref].

If we use, instead of bit commitment, secret sharing with an access structure $\mathcal{Z}$ and let $\mathcal{A}$ be the set $\{A \mid A^c \in \mathcal{Z}\}$, then we have the following properties:

1. The bit commitment based on secret sharing is concealing given only a collusion of $\{A \mid A \notin \mathcal{Z}\}$ is cheating.

2. The bit commitment based on secret sharing is binding if only one collusion of $\mathcal{A}$ is cheating.

3. The bit commitment based on secret sharing is equivalent to announcing the bit to a trusted third party whenever only one collusion of $\mathcal{A}$ is cheating.

The first two points of this enumeration follow directly from the properties of secret sharing schemes. Now we look at the third point. According to the assumption that only one collusion of $\mathcal{A}$ cheats we know that there exists a set $M$ of honest players able to reconstruct the shared secret. As all players of $M$ are honest, the committing player (Alice) had to honestly transmit all the shares of the players of $M$. These shares already fix the committed bit and hence handing out those shares is equivalent to announcing the bit to a trusted third party. From this the next result follows without further proof.

Lemma 19 Let A be an adversary structure and let Z be an access structure such that A = {A | A^c ∈ Z}. Then secret sharing with access structure Z can be used to obtain A-partially robust oblivious transfer from any player to the dealer. The protocol is {A | A ∉ Z}-secure.

After the measurements are irreversibly performed and the quantum attacks are impossible, the bit commitment used need not be binding any more. Only the concealing property is still needed. For secret sharing the requirements for binding and concealing are different, as seen in the enumeration above. So after all measurements are performed, in particular after termination of the protocol, only collusions from {A | A ∈ Z}, i.e. authorized sets, can still cheat in the oblivious transfer.

Of course we want oblivious transfer not only from one party to a set of players, but between every pair of players. The next section gives a detailed analysis of this situation.



VI. PARTIALLY ROBUST PROTOCOLS FOR 
OBLIVIOUS TRANSFER 

We will next give a detailed analysis of the situation 
where we have a set P of players together with an ad- 
versary structure A and every player should be able to 
share a secret among the other players. 

We are only concerned with partially robust protocols 
here. Whenever a player complains about another player 
we will abort the protocol. Robust protocols will be pre- 
sented in the next section. 

Lemma 20 Let P be a set of players for which each pair of players is connected by an authenticated secure channel and every player has access to a broadcast channel. Let A be an adversary structure for which no two collusions cover the set P of players. Then a bit commitment between any pair of players is possible which is A-partially robust and {A^c | A ∉ A}-secure.

Proof: We will let Alice commit to a bit string m ∈ {0,1}^k.

Commit via Secret Sharing(m)

1. Alice sends Bob a random string r ∈ {0,1}^k.

2. Alice shares the string m ⊕ r using a secret sharing scheme with access structure Z = {Z | Z^c ∈ A}.

This protocol shares Alice's secret m with the access structure Z ∩ {M ⊆ P | Bob ∈ M}: a set can learn m only if it can reconstruct m ⊕ r and also holds r. If the receiver Bob is honest this protocol can be used to force measurements A-partially robustly (Lemma 19); if Bob is not honest then we cannot prevent a dishonest sender from colluding with the receiver of the bit commitment and changing the committed bit. No bit commitment scheme can.

The unveil protocol is essentially a reconstruction of 
the shared secret. 

Unveil 

1. Alice announces the shares she sent. The players 
from P confirm the shares and Bob can then recon- 
struct m from his knowledge of r. 

□ 
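The commitment of Lemma 20 together with the three properties listed in the previous section, as an added example in Python (not code from the paper). The access structure Z = {Z | Z^c ∈ A} is realized with a replicated XOR secret sharing scheme (one random piece per maximal unqualified set, handed to every player outside that set); this scheme, the four players and their adversary structure are our own constructed choices, the paper leaves the secret sharing scheme open. check_properties commits to a string, verifies that no set S with S^c ∉ A can reconstruct, that the honest complement of every collusion in A already fixes the committed value, and that announcing the shares of a different string is caught at unveil.

```python
import secrets
from itertools import combinations

# Constructed example: four players and an adversary structure A given by its
# maximal collusions.  The condition of Lemma 20 holds: no two collusions cover P.
PLAYERS = ("alice", "bob", "carol", "dave")
MAXIMAL_COLLUSIONS = (frozenset({"alice"}), frozenset({"bob", "carol"}), frozenset({"dave"}))
BITS = 16  # length k of the committed string m and of the mask r


def subsets(players):
    """All subsets of `players` as frozensets."""
    players = sorted(players)
    for n in range(len(players) + 1):
        for c in combinations(players, n):
            yield frozenset(c)


def adversary_structure(maximal_collusions):
    """A is monotone: every subset of a tolerable collusion is tolerable."""
    return {s for m in maximal_collusions for s in subsets(m)}


def no_two_cover(adv, players):
    """Condition of Lemma 20: no two collusions of A cover the player set P."""
    P = frozenset(players)
    return all(a | b != P for a in adv for b in adv)


def unqualified_sets(adv, players):
    """Sets that must not reconstruct under Z = {Z | Z^c in A}: those S with
    S^c not in A.  This is exactly the set {A^c | A not in A} of Lemma 20."""
    P = frozenset(players)
    return {s for s in subsets(players) if (P - s) not in adv}


def maximal(family):
    return {s for s in family if not any(s < t for t in family)}


def share(value, max_unqualified, players):
    """Replicated secret sharing (our choice of scheme): one random piece per
    maximal unqualified set U, handed to every player outside U, all pieces
    XORing to `value`.  A set inside some U misses U's piece; a set inside no U,
    i.e. an authorised set, holds every piece."""
    index = sorted(max_unqualified, key=sorted)
    pieces = [secrets.randbits(BITS) for _ in index[:-1]]
    last = value
    for p in pieces:
        last ^= p
    pieces.append(last)  # last piece fixed so that the XOR of all pieces is `value`
    shares = {p: {} for p in players}
    for i, u in enumerate(index):
        for p in players:
            if p not in u:
                shares[p][i] = pieces[i]
    return len(index), shares


def reconstruct(n_pieces, shares, holders):
    """XOR of all pieces if `holders` jointly hold them, else None."""
    known = {}
    for p in holders:
        known.update(shares.get(p, {}))
    if len(known) < n_pieces:
        return None
    value = 0
    for piece in known.values():
        value ^= piece
    return value


def commit(m, adv, players, sender="alice", receiver="bob"):
    """Commit via Secret Sharing(m): the sender hands r to the receiver and
    shares m xor r among P with access structure Z = {Z | Z^c in A}."""
    r = secrets.randbits(BITS)
    n, shares = share(m ^ r, maximal(unqualified_sets(adv, players)), players)
    return {"r": r, "n": n, "shares": shares, "sender": sender, "receiver": receiver}


def unveil(com, announced, players):
    """Unveil: the sender announces the shares, every player confirms them against
    what she holds (a mismatch is a complaint and aborts the partially robust
    protocol), and the receiver strips r."""
    for p in players:
        if announced.get(p) != com["shares"][p]:
            return None
    masked = reconstruct(com["n"], announced, players)
    return None if masked is None else masked ^ com["r"]


def check_properties(players=PLAYERS, maximal_collusions=MAXIMAL_COLLUSIONS, m=0xBEEF):
    """Exercise the three properties of commitment via secret sharing."""
    adv = adversary_structure(maximal_collusions)
    if not no_two_cover(adv, players):
        raise ValueError("two collusions cover P; Lemma 20 does not apply")
    P = frozenset(players)
    com = commit(m, adv, players)
    # 1. concealing: no set S with S^c not in A can recover m xor r
    concealing = all(reconstruct(com["n"], com["shares"], s) is None
                     for s in unqualified_sets(adv, players))
    # 2./3. binding: whichever collusion C in A cheats, the honest players P \ C
    # form an authorised set whose shares already fix m xor r
    binding = all(reconstruct(com["n"], com["shares"], P - c) == m ^ com["r"] for c in adv)
    honest_unveil = unveil(com, com["shares"], players) == m
    # a sender who announces shares of a different string is caught by the holders
    forged = commit(m ^ 1, adv, players)["shares"]
    forged_rejected = unveil(com, forged, players) is None
    return {"concealing": concealing, "binding": binding,
            "honest_unveil": honest_unveil, "forged_rejected": forged_rejected}
```

The replicated scheme needs one piece per maximal unqualified set, so it is exponential in general (which is why Corollary 27 below makes efficiency of the secret sharing a separate assumption); for the four-player structure above there are five such sets and the honest complement of every collusion holds all five pieces.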

We can improve the security a little further by not allowing every player to commit a bit via secret sharing. To obtain oblivious transfer between every pair of players it is enough that for every pair one of them can commit to the other, as oblivious transfer can be inverted [12].

Lemma 21 Let P be a set of players for which each pair of players is connected by an authenticated secure channel and every player has access to a broadcast channel. Let A be an adversary structure for which no two collusions cover the set P of players and let M be any maximal set in A. Then for every pair of players a bit commitment is possible from one of the players to the other which is A-partially robust and {A^c | A ∉ A} ∪ {M^c}-secure.

Proof: The partial robustness is the same as claimed by Lemma 20, so we need to prove only the improved security.

We have to see first that {A^c | A ∉ A} ∪ {M^c} is an adversary structure. The set {A^c | A ∉ A} is an adversary structure, i.e. closed under taking subsets: if B ⊆ A^c with A ∉ A then B^c ⊇ A, and B^c ∉ A as A is monotone. It contains all proper subsets of M^c, since a proper subset B of M^c has B^c as a proper superset of the maximal set M, and hence B^c ∉ A. So the set {A^c | A ∉ A} ∪ {M^c} is an adversary structure, too.

To obtain the higher security we choose for every pair of players one player who shall commit to the other. Let Alice be the committing player and Bob the receiver, and let the pair be such that either Alice, Bob ∈ M, or Alice, Bob ∉ M, or Alice ∉ M and Bob ∈ M. Otherwise exchange the names of the players.

We will see that the bit commitment from Lemma 20 between any two players Alice and Bob is {A^c | A ∉ A} ∪ {M^c}-secure if used in the above defined direction. As Lemma 20 already proves the {A^c | A ∉ A}-security, we are left with proving the security against the possible collusion M^c.

A collusion can only cheat if it is an authorized set able to recover the shared secret and if it contains the receiver of the bit commitment, as the shared secret is encrypted by a key r known only to the sender and the receiver. If the collusion contains the sender of the bit commitment then the committed bit can already be derived from the inputs of the colluding players and no security is lost.

The direction of the bit commitment is chosen in such a way that M^c either contains the sender of the bit commitment (both players outside M, or Alice ∉ M) or does not contain the receiver (both players inside M, or Bob ∈ M). Hence M^c is not able to learn the committed bit in the bit commitment protocol. □
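The direction rule of Lemma 21, as an added example in Python (not from the paper). The four players and their adversary structure are constructed, and M = {bob, carol} is the maximal collusion chosen in advance. The code builds the post-termination structure {A^c | A ∉ A} ∪ {M^c}, checks that it is closed under subsets, lists which collusions it tolerates beyond A, and shows that every pair is safe when the sender is chosen outside M or the receiver inside M, while committing in the opposite direction lets M^c (authorized, and holding r through the receiver) read the commitments.

```python
from itertools import combinations

# Constructed example; A is given by its maximal collusions
PLAYERS = ("alice", "bob", "carol", "dave")
MAXIMAL_COLLUSIONS = (frozenset({"alice"}), frozenset({"bob", "carol"}), frozenset({"dave"}))
CHOSEN_M = frozenset({"bob", "carol"})  # the maximal set M fixed before the protocol


def subsets(players):
    players = sorted(players)
    for n in range(len(players) + 1):
        for c in combinations(players, n):
            yield frozenset(c)


def downward_closure(family):
    return {s for f in family for s in subsets(f)}


def is_adversary_structure(family):
    """Monotone: closed under taking subsets."""
    return downward_closure(family) == set(family)


def post_termination_structure(adv, players, M):
    """{A^c | A not in A} together with M^c (Lemma 21)."""
    P = frozenset(players)
    return {P - a for a in subsets(players) if a not in adv} | {P - M}


def choose_direction(x, y, M):
    """(sender, receiver) with the sender outside M or the receiver inside M,
    so that M^c contains the sender or misses the receiver."""
    if x not in M or y in M:
        return x, y
    return y, x


def learns_commitment(collusion, sender, receiver, adv, players):
    """A collusion without the sender learns m only if it can reconstruct m xor r
    (its complement is in A, so it is authorised for Z) and also holds r
    (it contains the receiver)."""
    P = frozenset(players)
    if sender in collusion:
        return False  # m is one of the colluders' own inputs; nothing is lost
    return (P - collusion) in adv and receiver in collusion


def gained_after_termination(players, maximal_collusions, M):
    """Collusions tolerated after termination that A did not tolerate during the run."""
    adv = downward_closure(maximal_collusions)
    return sorted(sorted(s) for s in post_termination_structure(adv, players, M) - adv)


def unsafe_pairs(players, maximal_collusions, M, reverse=False):
    """(sender, receiver) pairs whose commitment some tolerated collusion can read.
    reverse=True runs every commitment against the rule of Lemma 21."""
    adv = downward_closure(maximal_collusions)
    tolerated = post_termination_structure(adv, players, M)
    if not is_adversary_structure(tolerated):
        raise ValueError("post-termination structure is not monotone")
    bad = []
    for x, y in combinations(sorted(players), 2):
        s, t = choose_direction(x, y, M)
        if reverse:
            s, t = t, s
        if any(learns_commitment(c, s, t, adv, players) for c in tolerated):
            bad.append((s, t))
    return bad
```

For this structure the only authorized set among the tolerated collusions is M^c = {alice, dave}; reversing the rule makes it the receiver-holding, sender-free collusion for the pairs in which bob or carol commits to alice or dave, which is exactly the case the proof excludes.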

From Lemma 19, Lemma 21, and [12] we get the following result about oblivious transfer.

Corollary 22 Let P be a set of players for which each pair of players is connected by an authenticated secure channel and every player has access to a broadcast channel. Let A be an adversary structure for which no two collusions cover the set P of players and let M be any maximal set in A. Then an oblivious transfer is possible between every pair of players which is A-partially robust and {A^c | A ∉ A} ∪ {M^c}-secure.



VII. ROBUST PROTOCOLS FOR OBLIVIOUS 
TRANSFER 

In this section we additionally consider players who try to disrupt the bit commitment protocol. In addition to the forms of cheating that partially robust protocols can cope with, some players may leak information to players not contained in their collusion, some players may claim that other players do not follow the protocol, or they may themselves refuse to send or to receive messages.

If one looks at a secret sharing scheme step by step, the only deviations from the protocol which do not immediately give away the identity of the disruptor are the following:

1. Some players might not keep their shares secret.

2. Some players complain that the sender presents different shares in the reconstruction phase than those they originally received.

3. Some players claim not to have received any proper shares, e.g. empty shares.

This enumeration remains complete even if we consider verifiable secret sharing, as we essentially iterate secret sharing together with some local computations (see Subsection II C).

If a disruption results in the sender and the receiver of a bit commitment being in conflict, then we abort this bit commitment. We do not yet realize bit commitments between players who are in conflict with each other; later we will use multiparty protocols to obtain bit commitment and oblivious transfer between players who are in conflict.

Next we give a bit commitment scheme based on verifiable secret sharing which can cope with disruption. Shares of complaining players will be published, but we will see that this does not harm the security. The number k is a security parameter.



Commit via Secret Sharing(m)

1. Alice shares the secret m ⊕ r with the access structure Z and sends r to Bob.

2. A set A of players complains about the shares they received. These shares are published by Alice.

3. repeat

   (a) A_old := A

   (b) for j = 1 to k do

       i. Alice shares a random secret z with the access structure Z.

       ii. Bob tells Alice to either open z or z ⊕ m ⊕ r.

       iii. Alice publishes the shares for z or z ⊕ m ⊕ r. A set A_j of players complains about these shares.

       iv. A := A ∪ A_j

       od

   (c) If A ∉ A then Alice is detected cheating, else Alice has to publish the shares of the secret m ⊕ r for all players in A.

4. until A = A_old

The loop ends after a round of k challenges in which no new player complained; a set of complainers which is not a tolerable collusion must contain an honest player, so Alice is caught.



Lemma 23 Let P be a set of players and let A be an adversary structure for which no two collusions cover the set P \ {P_i} for any player P_i, and let M be any maximal set in A. Then a secret which is shared among the players of P according to the above protocol with access structure Z = {Z | Z^c ∈ A} remains {A^c | A ∉ A} ∪ {M^c}-secure even if a collusion from A publishes its shares.

Proof: The security of a bit commitment scheme is only relevant if the sender is honest, so we can assume throughout the proof that the secret is properly shared.

Because no two collusions from A cover P \ {P_i}, every set of the access structure Z = {Z | Z^c ∈ A} contains at least two honest players, even after a collusion A ∈ A leaks: if Z had at most one honest player p outside A, then A and Z^c, both collusions, would cover P \ {p}. So even if all players of a collusion A ∈ A leak their shares, the secret remains shared among at least two honest players and no single honest but curious player gets to know the secret. □
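The condition of Lemma 23 and the "at least two honest players" guarantee it buys, as an added example in Python (not from the paper). Both adversary structures are constructed: the four-player one used for the partially robust protocols, which satisfies the condition of Lemma 20 but not that of Lemma 23, and a five-player one which satisfies both. fewest_honest_in_authorised computes the minimum of |Z \ A| over authorized sets Z and collusions A, i.e. how many honest players are guaranteed to still share the secret after a collusion leaks.

```python
from itertools import combinations

# Constructed examples, each given as (players, maximal collusions of A)
FOUR_PLAYERS = ("alice", "bob", "carol", "dave")
FOUR_MAXIMAL = (frozenset({"alice"}), frozenset({"bob", "carol"}), frozenset({"dave"}))
FIVE_PLAYERS = ("alice", "bob", "carol", "dave", "eve")
FIVE_MAXIMAL = (frozenset({"alice", "bob"}), frozenset({"carol"}), frozenset({"dave"}), frozenset({"eve"}))


def subsets(players):
    players = sorted(players)
    for n in range(len(players) + 1):
        for c in combinations(players, n):
            yield frozenset(c)


def downward_closure(family):
    return {s for f in family for s in subsets(f)}


def no_two_cover(adv, players):
    """Condition of Lemma 20: no two collusions cover P."""
    P = frozenset(players)
    return all(a | b != P for a in adv for b in adv)


def no_two_cover_all_but_one(adv, players):
    """Condition of Lemma 23: no two collusions cover P \ {P_i} for any P_i,
    i.e. every pair of collusions leaves at least two players uncovered."""
    P = frozenset(players)
    return all(len(P - (a | b)) >= 2 for a in adv for b in adv)


def authorised_sets(adv, players):
    """Z = {Z | Z^c in A}."""
    P = frozenset(players)
    return [z for z in subsets(players) if (P - z) in adv]


def fewest_honest_in_authorised(adv, players):
    """min over authorised Z and leaking collusion A of |Z \ A|."""
    return min(len(z - a) for z in authorised_sets(adv, players) for a in adv)


def lemma23_applies(players, maximal_collusions):
    """(does the condition of Lemma 23 hold, honest players guaranteed in every
    authorised set after a leak).  The second value is at least 2 whenever the
    first is True; the proof of Lemma 23 is this implication."""
    adv = downward_closure(maximal_collusions)
    if not no_two_cover(adv, players):
        raise ValueError("two collusions cover P; not even Lemma 20 applies")
    return no_two_cover_all_but_one(adv, players), fewest_honest_in_authorised(adv, players)
```

For the four-player structure {bob, carol} and {alice} together cover everything but dave, and indeed the authorized set {bob, carol, dave} is left with dave as its only honest member once {bob, carol} leaks; the five-player structure keeps two honest players in every authorized set.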

Lemma 24 Let P be a set of players for which each pair of players is connected by an authenticated secure channel and every player has access to a broadcast channel. Let A be an adversary structure for which no two collusions cover the set P \ {P_i} for any player P_i, and let M be any maximal set in A. Then for every pair of players who will not be in conflict after the protocol, a bit commitment is possible from one of the players to the other which is A-robust and {A^c | A ∉ A} ∪ {M^c}-secure.

Proof: We prove our claim using the above protocol. Whenever the receiver of the bit commitment complains about the sender, we need not be able to implement a bit commitment; hence in the following we analyse only conflicts between the sender of the bit commitment and players other than the receiver.

We consider two cases.

First: Alice is honest. Then every complaint about Alice comes from a cheater, and Alice publishes the share the cheater complained about. So every complaint about an honest Alice is equivalent to a leak of the share of the cheating player, and we have seen that this does not harm the security of the secret sharing (Lemma 23). The correctness of the secret sharing, which implies the binding property of the bit commitment, cannot be harmed by shares which become publicly known.

Second: Alice is dishonest. Then Bob must be honest, or we cannot expect a bit commitment to work. All shares, the public ones as well as the privately known ones, pass the verifiable secret sharing test whenever the protocol has terminated and Alice has not been detected cheating. Hence every honest player is convinced that, if Bob is honest, the secret is properly shared. This follows directly from the properties of the verifiable secret sharing scheme of [?] which was sketched in Subsection II C. The security of the protocol is not an issue if Alice is dishonest. □



From the same arguments as used in Lemma 19 it is clear that the above bit commitment can be used to force measurements. As the direction of an oblivious transfer can be inverted [12], the directions of the bit commitments do not matter any more. Hence we can conclude the following.

Corollary 25 Let P be a set of players for which each pair of players is connected by a quantum channel and an authenticated insecure channel, and every player has access to a broadcast channel. Let A be an adversary structure for which no two collusions cover the set P \ {P_i} for any player P_i, and let M be any maximal set in A. Then for every pair of players who will not be in conflict after the protocol, an oblivious transfer is possible which is A-robust and {A^c | A ∉ A} ∪ {M^c}-secure.

In the next section we will use the oblivious transfer of 
this corollary to implement multiparty computations. 



A. Main Results 

This section is separated into two subsections, the first considering only partially robust protocols, i.e., protocols which are aborted whenever a conflict occurs, and the second dealing with robust protocols tolerating every form of cheating and disruption.



B. Partially Robust Protocols 

Combining the results of Corollary 12, Corollary 22, and [1?] we get the following result without further proof.

Theorem 26 Let P be a set of players each having ac- 
cess to a broadcast channel and let every pair of players 
of P be connected by a quantum channel and an insecure 
but authenticated classical channel. Then A-partially ro- 
bust quantum multiparty protocols for all functions exist 
if and only if no two collusions of A cover P. 

These protocols are A-secure after termination if and 
only if the adversary structure A contains at most one 
complement of a previously chosen set from A. 

Secret sharing need not be efficient, but all other protocols used require only polynomial resources.

Corollary 27 If secret sharing can be implemented efficiently for the access structure Z = {A^c | A ∈ A} then the protocols of Theorem 26 can be efficient.



C. Robust Protocols 

To obtain robust protocols we must, according to Lemma 14, choose A such that no two possible collusions together contain all but one of the players. In this situation we can use Lemma [?] together with Corollary 25 and obtain the following result without further proof.







Theorem 28 Let P be a set of players each having access to a broadcast channel and every pair of players of P being connected by a quantum channel and an insecure but authenticated classical channel. Then A-robust quantum multiparty protocols for all functions exist if and only if no two collusions of A cover P \ {P_i} for any player P_i.

These protocols are A-secure after termination if and only if the adversary structure A contains at most one complement of a previously chosen set from A.

If we are interested in robustness after termination and not in security after termination, we can use the following result from [2?] (for a proof see [29]).

Lemma 29 A multiparty protocol which is A-secure after termination is B-robust after termination for B = {B | ∃A ∈ A : B ⊆ A and B ≠ A}.

Again we need only polynomial resources if secret sharing is efficient.

Corollary 30 If secret sharing can be implemented efficiently for the access structure Z = {A^c | A ∈ A} then the protocols of Theorem 28 can be efficient.